Parse nodrop option

The nodrop option forces results to also include messages that do not match any segment of the parse term.

For all parse operators, messages must match at least one segment of the parse expression or they are dropped from the results. Adding the nodrop option forces results to also include messages that do not match any segment of the parse term.

Syntax

| parse "a=*," as <field> nodrop
In this case, messages that match a as well as all other messages are returned.

| parse "a=*," as <field1> nodrop | parse "b=*," as <field2>
In this case, messages that match either a or b are output. Everything else is dropped.

| parse "a=*," as <field1> | parse "b=*," as <field2>
In this case, both parse operators are implicitly dropping non-matching messages. This means only messages that match both a and b are output.

Recommended articles

Sumo Logic is the industry’s leading secure, cloud-native, machine data analytics service, delivering real-time, continuous intelligence across the entire application lifecycle and stack. More than 1,000 customers around the globe rely on Sumo Logic for the analytics and insights to build, run and secure their modern applications and cloud infrastructures.